IAPP The Privacy Advisor: How NIST Security Controls Might Help You Get Ready for the GDPR


Article from IAPP Author Piotr Foitzik on their blog, the Privacy Advisor

In order to get ready for the General Data Protection Regulation, companies need to thoroughly review, and exercise due diligence over, their existing security measures and information security frameworks. Considering that the GDPR is meant to be technology neutral, it provides very little guidance on these topics. While it aims to bring privacy from theory into practice, the onus to achieve this is on the controllers and processors of personal data.

For this reason, entities are very much alone with all the practical problems, while being threatened with severe administrative fines.

So where to start? Is the solution trial and error?

Well, why not, paradoxically, look across the Atlantic for some inspiration? Although U.S. and EU laws are far from each other (and some would say there seems to be no hope of fully bridging those differences), many of the security controls described by the National Institute of Standards and Technology, and designed as such for federal agencies, seem to be very much appropriate for meeting the GDPR requirements (cf., inter alia, Article 32 of the GDPR). To be sure, this would still be a high-level, generic approach. Yet NIST recommendations, while being technology neutral, are meant to be technologically aware. This way, you are in a position to use some of the existing tools for tailoring your own process, considering the company's mission and business concerns. Obviously, you need to start with general solutions before going into specific security functions and using concrete management tools and techniques.

What would be the best reading materials to get you equipped with the necessary knowledge for taking this mission, while bridging the security-privacy divide? 

That very much depends on where you are, and what the level of maturity of your current security and privacy framework is.

Some of the more relevant and interesting publications to consider would include:

While the first two provide a general structure for evaluating your information-security framework, and the third more concrete solutions to meet the security objectives, the last would be of particular use in implementing privacy by design and by default.

In addition to that, NIST 800-53A, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations,” would be handy for introducing continuous security assessments and evaluation procedures, and NIST 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems,” for applying a risk-management framework. As these are rather vast documents to read, NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is where you might want to start, with confidentiality basics.

These should support you in building the fundamentals of your privacy program, which requires maintaining effective and real control over the data you hold across their life-cycles, including inbound and outbound data flows. It will be very much up to you whether to build from the ground up convoluted, multi-layered solutions robust against any possible threat, or to augment the security capabilities you already have.

Part of the process is also assessing your security and privacy controls and breach response capabilities. You won't be able to notify the authorities or the data subjects about a breach, as required by the GDPR, if you cannot identify that a breach has occurred in the first place. Moreover, you will not be in a position to assess the risks, which you must do under the GDPR in a continuous manner, without having adequate risk management and assessment procedures in place. That would also be relevant for conducting a data protection impact assessment, which by its very nature requires you to be aware of the risks and to come up with practical solutions for their mitigation. Even though risks to data subjects and risks to the company require different approaches, some integrated solutions may still be feasible.

Whereas, with regard to the anonymization, pseudonymization and encryption of personal data, European sources should be your primary place to look for answers (the WP29 “Opinion 05/2014 on Anonymisation Techniques” and the ENISA publication “Recommended cryptographic measures — Securing personal data”), in many other areas you might start by looking at NIST’s recommendations in the first place, while adjusting them to the GDPR requirements and to the EU's broad definition of personal data. Naturally, making such adjustments without breaking the very linkage between privacy and security is not an easy task. It is necessary, however, as merely following the U.S. PII model, including the Fair Information Practice Principles, is certainly not enough to meet EU requirements. Still, it seems tempting and rational to integrate privacy and security first, based on foundations that are not dependent on the legal system, and to integrate EU specifics subsequently. Contrary to what you might think, there would be very few discrepancies once you reach a certain level of maturity in your privacy and security policy.

This approach might help you to ensure that both the security and privacy objectives are met, including confidentiality, integrity, availability and resilience of processing systems and services. In addition to that, you also need to have in place procedures for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

Integrating privacy and security, not to mention procedures for vendor management, is a prerequisite for meeting the EU data protection principles, including data minimization, transparency and accountability. This is also crucial for exercising the right to be forgotten in practice and not just in theory. The same goes for data portability, as you would first need to have effective data mapping and processes for continuously monitoring the data you hold, so that you know which data fall under the data portability right.

No technique or solution is devoid of shortcomings, nor will any, as such, provide you with lasting compliance. Therefore, it is necessary to treat implementing privacy as an iterative, rather than a one-off, process.

Whenever there is no clear guidance under the GDPR on how to achieve certain security objectives, it certainly seems wiser and more rational to use the existing solutions provided by NIST publications than to wait until more EU guidelines become available. Later you could further build on what you already have, rather than start from scratch.
